Tuesday, September 8, 2015

AppLock Android App Used by 100 Million Users is Easily Hackable and Useless


applock-useless-hackShort Bytes: Popular Android app AppLock is used by more than 100 million people. According to the researchers, the app is providing a false sense of security to the users as the app is easily hackable and useless.
Millions of users use the Android applications known as app lockers to protect their pictures, messages, and other files. With these apps, you can lock your contacts, Facebook, gallery, texts, call logs to restrict the unauthorized access. One of the most popular apps named AppLock falls in the same category and it’s #1 app locker in more than 50 countries with more than 100 million users. This app promises to provide complete security to the users, but the security researchers at SecuriTeam have reported three easily exploitable flaws in the AppLock Android application. According to the security firm, the app exposes user data even when the application is using a PIN.
In the AppLock application, the researchers found 3 vulnerabilities. These vulnerabilities are:
  • The first vulnerability shows that your pictures and videos are not encrypted and they are just hidden from the users. They can be recovered with their original filenames without any root permission.
  • The second vulnerability deals with the root permission and how one can easily remove the PIN code from the app and add it to others. A person can also change the existing PIN.
  • The third and most critical vulnerability talks about the PIN bypass. By exploiting this vulnerability, one can reset the PIN code without root permissions and take full control of the device.
The PIN bypass flaw allows the attacker to intercept HTTP request and responses while trying to recover a lost PIN. This is due to the weak reset PIN mechanism. In this situation, an attacker can reset the password by sending the PIN to his/her own email. Along the same lines, in the app, there is a lack of encryption that allows the attacker to access the files inside AppLock’s SQLite database.
These vulnerabilities and steps to access locked files is shared in details on the SecuriTeam blog.